In this issue

It's that time of year when you look back over the events of the last
12 months and wonder just what you spent all your time doing and try to
find the answers to those niggling little questions like why a
weekly publication only produced 22 issues this year. As this is the
last issue of Apache Week for 2003 we thought we'd give you a mini
review of the year.

Under Development: The split in Apache 2 development between the
"stable" 2.0 tree and the "development" branch (labelled 2.1) has
produced five new minor releases this year, including various bug and
security fixes: Apache 2.0.48, Apache 2.0.47, Apache 2.0.46, Apache
2.0.45, and Apache 2.0.44. These releases have all maintained backwards
compatibility in the module interface, giving third party developers a
stable platform for 2.0 module development.

The CVS "review then commit" policy for the stable 2.0 branch, a
departure from the normal "commit then review" mode used up until late
2002, has continued to be applied throughout 2003 with little
contention. No releases have yet been made from the "development" 2.1
branch.

The Apache Portable Runtime library (APR), which underpins Apache 2,
has moved closer to a 1.0 release, making three point releases in 2003
up to the most recent 0.9.4 release. APR development was also recently split
between a 0.9 maintenance branch and a 1.0 stabilisation branch.

Most of the developers have spent the year focused on Apache 2, so there
were only two new 1.3 releases this year: Apache 1.3.28, which fixed a
few minor security issues, added a LimitInternalRecursion directive and
fixed some bugs; and Apache 1.3.29, which fixed a minor security issue
and a few bugs.

Security in Apache 1.3:
No major security issues were found in Apache 1.3 this year, with only two
minor issues being fixed by the 1.3.28 and 1.3.29 releases:

Security in Apache 2.0:
A number of security issues were found and fixed in Apache 2.0 this year:

High risk:

CAN-2003-0245 APR remote crash. A bug in versions from 2.0.37 to 2.0.45
allowed a remote attacker to crash the server, or possibly execute
arbitrary code, through mod_dav, mod_ssl, and other mechanisms. No
exploit has been seen for this issue.

CAN-2003-0132 Line feed memory leak DoS.
A memory leak allowed remote attackers to cause a denial of service
by sending a large number of linefeed characters.

Moderate risk:

CAN-2003-0017 Apache can serve unexpected files.
This issue affected only Windows platforms and allowed remote attackers
to build up a list of files in the document root even if indexes
were disabled.

All administrators should check their systems to make sure that Apache and all
the supporting components being used have either been updated to the most
recent releases, or to releases that contain back-ported patches to fix the
security issues.
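As a starting point for that check, here is an added example (not from Apache Week or the Apache project) that reads the first line of "httpd -v" output and reports whether the build predates the last 2003 release of its branch. The only version numbers it knows are the ones named in this issue: 2.0.48 and 1.3.29 as the latest releases, and 2.0.37 to 2.0.45 as the range affected by CAN-2003-0245. The sample lines at the bottom are constructed, and the script cannot see vendor back-ports, so "outdated" means "confirm with your vendor", not "vulnerable".

```shell
#!/bin/sh
# Added example, not part of Apache Week or the Apache distribution.
# Versions below come from this issue's review; adjust them as new
# releases appear. A vendor build with back-ported fixes will still be
# reported as outdated because only the version string is examined.

# version_lt A B: succeeds when dotted version A sorts before B.
# A plain string comparison would put 2.0.9 after 2.0.10, so the
# components are compared numerically field by field.
version_lt() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# apache_version LINE: extract "2.0.45" from "Server version: Apache/2.0.45 (Unix)".
apache_version() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# check_apache LINE: prints one of
#   current                 - at or beyond the latest release named for its branch
#   outdated                - older than that release
#   outdated CAN-2003-0245  - older, and inside the 2.0.37-2.0.45 APR crash range
#   unknown                 - not an Apache 1.3 or 2.0 "httpd -v" line
check_apache() {
    v=$(apache_version "$1")
    case "$v" in
        2.0.*) latest=2.0.48 ;;
        1.3.*) latest=1.3.29 ;;
        *) echo unknown; return 0 ;;
    esac
    if version_lt "$v" "$latest"; then
        # CAN-2003-0245 range: 2.0.37 <= v <= 2.0.45
        if [ "${v%.*}" = "2.0" ] && ! version_lt "$v" 2.0.37 && version_lt "$v" 2.0.46; then
            echo "outdated CAN-2003-0245"
        else
            echo outdated
        fi
    else
        echo current
    fi
}

# Constructed sample lines. On a live system run:
#   check_apache "$(httpd -v | head -n1)"
check_apache "Server version: Apache/2.0.45 (Unix)"
check_apache "Server version: Apache/2.0.48 (Unix)"
check_apache "Server version: Apache/1.3.27 (Unix)"
```

Run it against the binary you actually serve with (the path may differ from the one on $PATH when several builds are installed), and treat any "outdated" result as a prompt to confirm with the vendor whether the security fixes were back-ported.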

SANS together with the FBI updated their Top 20 Vulnerabilities list
in October, a list of the most commonly exploited vulnerable services.

Apache gets a mention as one of the top ten vulnerable services for
Unix, although most of the time it is third party applications or
poorly written scripts that are to blame for successful attacks. A
checklist provides useful advice on how to make Apache and the related
components more secure.

Conferences:
ApacheCon US 2003 was held in Las Vegas in November 2003. Although the
conference was less extravagant than the previous ApacheCon conferences,
the quality of the sessions and speakers was as impressive as ever.
The O'Reilly Open Source Convention also had a large Apache presence.

Surveys: Netcraft show the total number of Apache-based servers found
by their survey rising from 22 million in January to 31 million in
December, with market share continuing to rise from 63% in January to
over 68% at the end of the year.
Netcraft also found that over 98% of SSL sites that had valid third
party certificates were capable of using strong encryption. This
percentage has increased dramatically since the expiration of the RSA
patent and the relaxation of US export controls: in September 2000 only
79% of sites were capable of strong encryption.

Newsletter: The first issue of the official Apache Newsletter was
launched in August. The bi-monthly newsletter aims to cover all of the
Apache Software Foundation projects and is packed with development
news as well as details of all the new releases.

mod_perl embeds the Perl programming language in the Apache web
server, giving rise to a fast and powerful web programming
environment. "Practical mod_perl" from O'Reilly aims to be the
definitive book on how to use, optimise and troubleshoot mod_perl.

The book is aimed at both server administrators and application
developers, and is well organised so that both groups of readers can
easily find what they need. The bulk of the book is split into four
main parts, covering administration, performance tuning, database
issues and troubleshooting, all in relation to mod_perl 1.0. A
smaller fifth part covers the differences between mod_perl 1.0 and the
as-yet-unreleased mod_perl 2.0, and finally there are a number of
appendices containing example code for common tasks, information on
useful Perl modules, and some information for ISPs wishing to offer
mod_perl to their customers.

The book as a whole is focused and well written, and the authors'
knowledge of and passion about mod_perl is obvious. It's an excellent
read and will undoubtedly make an excellent reference afterwards;
O'Reilly have attempted to create the definitive book on mod_perl and
they have succeeded admirably.

Our friends at O'Reilly have given us four copies of the book
"Practical mod_perl" to give away in our festive competition. For a
chance to get your hands on a copy, just match the punchline to this
festive joke:

Which of these is not a popular scripting language?
A) Python
B) Perl
C) Penguin

Send your answer to santa@apacheweek.com to reach us no later than
January 5th 2004.
Your email address will not be used for
anything other than to let you know if you won. Four winners
will be drawn at random from all correct entries submitted.
One entry per person (we disqualify anyone sending
duplicates), no cash alternative (we're skint), editors'
decision is final (bah Humbug!).